Debian DSA-3332-1 : wordpress - security update

high Nessus Plugin ID 85355

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been fixed in Wordpress, the popular blogging engine.

- CVE-2015-2213 SQL Injection allowed a remote attacker to compromise the site.

- CVE-2015-5622 The robustness of the shortcodes HTML tags filter has been improved. The parsing is a bit more strict, which may affect your installation. This is the corrected version of the patch that needed to be reverted in DSA 3328-2.

- CVE-2015-5730 A potential timing side-channel attack in widgets.

- CVE-2015-5731 An attacker could lock a post that was being edited.

- CVE-2015-5732 Cross site scripting in a widget title allows an attacker to steal sensitive information.

- CVE-2015-5734 Fix some broken links in the legacy theme preview.

The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A.
Baset.

Solution

Upgrade the wordpress packages.

For the stable distribution (jessie), these problems have been fixed in version 4.1+dfsg-1+deb8u4.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794548

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794560

https://security-tracker.debian.org/tracker/CVE-2015-2213

https://security-tracker.debian.org/tracker/CVE-2015-5622

https://security-tracker.debian.org/tracker/CVE-2015-5730

https://security-tracker.debian.org/tracker/CVE-2015-5731

https://security-tracker.debian.org/tracker/CVE-2015-5732

https://security-tracker.debian.org/tracker/CVE-2015-5734

https://packages.debian.org/source/jessie/wordpress

https://www.debian.org/security/2015/dsa-3332

Plugin Details

Severity: High

ID: 85355

File Name: debian_DSA-3332.nasl

Version: 2.15

Type: local

Agent: unix

Published: 8/13/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:wordpress

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/11/2015

Reference Information

CVE: CVE-2015-2213, CVE-2015-5622, CVE-2015-5730, CVE-2015-5731, CVE-2015-5732, CVE-2015-5734

DSA: 3332